diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 98418ca50669..01b93e48a2e6 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -34,7 +34,7 @@ jobs:
       - name: Checkout repo
         uses: actions/checkout@v6
       - name: Check changed files
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: filter
         with:
           filters: |
@@ -98,7 +98,7 @@ jobs:
     if: needs.changes.outputs.helm == 'true'
     steps:
       - uses: actions/checkout@v6
-      - uses: azure/setup-helm@v4
+      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - run: helm plugin install https://github.com/instrumenta/helm-kubeval
@@ -151,7 +151,7 @@ jobs:
             test/package-lock.json
       - run: SKIP_SUBMODULE_DEPS=1 npm ci
       - run: npm run test:unit
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
         if: success()
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -167,7 +167,7 @@ jobs:
         with:
           submodules: true
       - run: sudo apt update && sudo apt install -y libkrb5-dev
-      - uses: awalsh128/cache-apt-pkgs-action@latest
+      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
         with:
           packages: quilt
           version: 1.0
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index f59767c4fc4e..16d5d578edac 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -33,7 +33,7 @@ jobs:
           node-version-file: .node-version
 
       - name: Download npm package from release artifacts
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
           repository: "coder/code-server"
           tag: ${{ github.event.inputs.version || github.ref_name }}
@@ -43,9 +43,10 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ github.event.inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          TAG: ${{ github.event.inputs.version || github.ref_name }}
       - run: npm run publish:npm
         env:
           VERSION: ${{ env.VERSION }}
@@ -88,11 +89,12 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ github.event.inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          TAG: ${{ github.event.inputs.version || github.ref_name }}
       - name: Validate package
-        uses: heyhusen/archlinux-package-action@v3.0.0
+        uses: heyhusen/archlinux-package-action@c9f94059ccbebe8710d31d582f33ef4e84fe575c # v3.0.0
         env:
           VERSION: ${{ env.VERSION }}
         with:
@@ -119,19 +121,19 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -140,11 +142,12 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ github.event.inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          TAG: ${{ github.event.inputs.version || github.ref_name }}
       - name: Download deb artifacts
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
           repository: "coder/code-server"
           tag: v${{ env.VERSION }}
@@ -152,7 +155,7 @@ jobs:
           out-file-path: "release-packages"
 
       - name: Download rpm artifacts
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
         with:
           repository: "coder/code-server"
           tag: v${{ env.VERSION }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a1904a6d9954..fdd41f7416dc 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -111,14 +111,15 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          TAG: ${{ inputs.version || github.ref_name }}
       - env:
           VERSION: ${{ env.VERSION }}
         run: npm run package $PKG_ARCH
 
-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           draft: true
           discussion_category_name: "📣 Announcements"
@@ -171,15 +172,16 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          TAG: ${{ inputs.version || github.ref_name }}
       - name: Build packages with nfpm
         env:
           VERSION: ${{ env.VERSION }}
         run: npm run package
 
-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           draft: true
           discussion_category_name: "📣 Announcements"
@@ -232,15 +234,16 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          TAG: ${{ inputs.version || github.ref_name }}
       - name: Build packages with nfpm
         env:
           VERSION: ${{ env.VERSION }}
         run: npm run package
 
-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           draft: true
           discussion_category_name: "📣 Announcements"
@@ -257,7 +260,7 @@ jobs:
         with:
           name: npm-release-package
 
-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           draft: true
           discussion_category_name: "📣 Announcements"
@@ -269,7 +272,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Download artifacts
-        uses: dawidd6/action-download-artifact@v16
+        uses: dawidd6/action-download-artifact@2536c51d3d126276eb39f74d6bc9c72ac6ef30d3 # v16
         id: download
         with:
           branch: ${{ github.ref }}
@@ -284,9 +287,10 @@ jobs:
       # Strip out the v (v4.9.1 -> 4.9.1).
       - name: Get and set VERSION
         run: |
-          TAG="${{ inputs.version || github.ref_name }}"
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
+        env:
+          TAG: ${{ inputs.version || github.ref_name }}
       - name: Modify version
         env:
           VERSION: ${{ env.VERSION }}